Review of Getting Started with OAuth 2.0

I’ve been looking for an OAuth 2.0 book for a while. The specification is still being developed while, at the same time, big Internet players like Google, Facebook, Yahoo, or Twitter are already using some flavor of it. Although as a developer you’ll eventually rely on a library to abstract most of the complexity, you still want to understand the big picture. And because OAuth 2.0 is still an ongoing process, the situation is a bit of a mess right now, with each authorization server implementing a different revision with subtle differences.

This is where this book comes in. In about 60-70 pages it clarifies the current situation. It starts by providing a historical introduction to the protocol and how it relates to the initiatives that preceded OAuth 1.0 and to OAuth 1.0 itself (removal of proprietary technologies, improved security). You’ll learn the rationale behind this revision (the new client profiles in particular) and some of the key features still under discussion, in particular “signatures”, where Eran Hammer, the protocol editor, is openly opposed to not including them (and after reading his thoughts, I think he’s right).

One chapter I especially loved is the one dedicated to OpenID Connect, the next evolution of OpenID. I’ve seen developers confused about the differences between OAuth (authorization) and OpenID (authentication), and this book differentiates them well. Interestingly, although they still serve different purposes, the new OpenID Connect will be built on top of OAuth, which makes sense, as you’ll find out in the book.

The code accompanying the text is just fine. You’ll see some actual implementations of the workflow in PHP and JavaScript that are easy to read (even a Google App Engine Python example at the end, which I appreciate). I especially liked that it includes the JSON responses, where you can actually see the typical parameters and better understand the information you’re exchanging (and prepare your data models). Chapter 6 is dedicated to the workflow in native apps for mobile devices. There is no code in this part, but it has enough information to point you in the right direction.

Where the book falls short, in my opinion, is in providing better guidance for developers who want to act as authorization servers and not just as clients of the protocol. OAuth 2.0 will only be successful if all API providers, big and small, are able to implement it, and that’s where this book could have done a better job: for example, by recommending some web frameworks capable of OAuth 2.0 in Chapter 8 (“Tools and Libraries”).

“Getting Started with OAuth 2.0” by Ryan Boyd is an easy read that answers the right questions (like: what’s new in 2.0? which are the new client profiles? when should I use each one? what do I do if the access token expires or gets revoked?) and can then also be used as a simple reference for the workflows when you’re actually implementing your app.

Disclaimer: Like before, this blog post is part of O’Reilly’s Blogger Review Program.